Powershell Script for saving logs from Domain Controller

Asked by Mark (Ireland)

Hi,

I got a request in from one of our IT security officers who would like a copy of all Domain Controller event logs to be kept for analysis. The IT security officer is particularly interested in events 4706/4707 (domain trust records created/deleted). The IT security officer also wants to know how far back the data goes.

Is there a PowerShell script that can be run to help acquire this information? We have a number of different domains, but he has asked for two in particular.
Personally, this should be done by using an Event Subscriptions (event collector) server. See the Event Subscription setup at the following link:
https://technet.microsoft.com/en-us/library/cc749183.aspx

"The IT security officer also wants to know how far back the data goes."
The logs will only reach back to the point before they get overwritten. Depending on whether you have auditing enabled, your logs may get overwritten hourly due to all of the audit events in the Security log. It is a good idea to set the Security log on EACH of the DCs to a minimum of 1 GB. This is so that when you do event collections you will be able to get all of the logs, depending on how often the collection is run against the DCs. If you are not querying the DCs often, then your log size should be larger; if not, the events will get overwritten.

If you are still set on collecting event log data using PowerShell, then I would recommend using the Export-EventLog.ps1 script. See the link below for the download.
https://gallery.technet.microsoft.com/scriptcenter/Export-EventLog-18a87c2c

Will.
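The following PowerShell is an added example and is not from the thread, from Will's answer, or from the Export-EventLog.ps1 script linked above. It does the three things the question asks for on every DC of the two domains: records how far back each DC's Security log currently reaches (oldest surviving record) together with its size cap, so the security officer can see whether the retention is adequate; pulls events 4706 and 4707 with their trust details into a CSV; and takes a full .evtx copy of the Security log for offline analysis. The domain names `corp.example.com` and `child.example.com` and the output path `C:\DCLogs` are placeholders (assumptions). It assumes the RSAT ActiveDirectory module, PowerShell 5.0 or later (for `Copy-Item -FromSession`), remote PowerShell enabled on the DCs, and an account that can read the Security log (Domain Admin or a member of Event Log Readers). The EventData field names (`SubjectUserName`, `DomainName`, `DomainSid`, `TdoType`, `TdoDirection`) are read from the event XML; 4707 does not carry the `Tdo*` fields, so those columns are blank for deletions.

```powershell
# Added example: collect DC Security-log retention info, trust events 4706/4707,
# and a full .evtx copy from every domain controller in the listed domains.
# Domain names and output path are assumptions; change them for your environment.
param(
    [string[]]$Domains = @('corp.example.com', 'child.example.com'),   # assumed
    [string]$OutDir    = 'C:\DCLogs'                                    # assumed
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$retentionCsv = Join-Path $OutDir 'security-log-retention.csv'

foreach ($domain in $Domains) {
    $dcs = Get-ADDomainController -Filter * -Server $domain |
           Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        Write-Host "Processing $dc ($domain)"

        # 1. Retention: oldest and newest record still in the log, plus the size cap.
        #    If OldestEvent is only hours old, the cap is too small (see the 1 GB advice above).
        $cfg    = Get-WinEvent -ComputerName $dc -ListLog Security
        $oldest = Get-WinEvent -ComputerName $dc -LogName Security -Oldest -MaxEvents 1
        $newest = Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1
        [pscustomobject]@{
            Domain      = $domain
            DC          = $dc
            OldestEvent = $oldest.TimeCreated
            NewestEvent = $newest.TimeCreated
            Records     = $cfg.RecordCount
            MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            UsedMB      = [math]::Round($cfg.FileSize / 1MB)
        } | Export-Csv -Path $retentionCsv -Append -NoTypeInformation

        # 2. Trust events: 4706 = trust created, 4707 = trust removed.
        #    Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
        $filter = @{ LogName = 'Security'; Id = 4706, 4707 }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) {
                    if ($d.Name) { $data[$d.Name] = $d.'#text' }
                }
                [pscustomobject]@{
                    DC           = $dc
                    TimeCreated  = $_.TimeCreated
                    EventId      = $_.Id
                    Action       = if ($_.Id -eq 4706) { 'TrustCreated' } else { 'TrustRemoved' }
                    Subject      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    TrustedDomain = $data['DomainName']
                    TrustedSid   = $data['DomainSid']
                    TdoType      = $data['TdoType']        # blank for 4707
                    TdoDirection = $data['TdoDirection']   # blank for 4707
                }
            } | Export-Csv -Path (Join-Path $OutDir "trust-events-$dc.csv") -NoTypeInformation

        # 3. Full .evtx copy: export on the DC with wevtutil, then pull it back over the session.
        $session = New-PSSession -ComputerName $dc
        $remotePath = Invoke-Command -Session $session -ScriptBlock {
            $p = Join-Path $env:TEMP "Security-$env:COMPUTERNAME.evtx"
            wevtutil epl Security $p /ow:true
            $p
        }
        Copy-Item -Path $remotePath -Destination $OutDir -FromSession $session
        Invoke-Command -Session $session -ScriptBlock { param($p) Remove-Item $p } -ArgumentList $remotePath
        Remove-PSSession $session
    }
}

Write-Host "Retention summary: $retentionCsv"
```

Run it from a management host with `.\Collect-DCTrustLogs.ps1 -Domains 'corp.example.com','child.example.com' -OutDir C:\DCLogs` (script name assumed). The retention CSV answers the "how far back" question directly: `OldestEvent` is the earliest record the DC still holds, and comparing it with `MaxSizeMB` and `UsedMB` shows whether the log is already wrapping. The .evtx copies preserve the original records for the analyst, whereas the CSV is only the parsed subset, so keep both.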